Channel: Security forum

Multiple Windows 2012 R2 subordinate issuing CAs, how do I make one preferred issuing CA?


Hello,

A while back I posted a question on another discussion thread regarding re-issuing a new root CA with FQDN - http://social.technet.microsoft.com/Forums/windowsserver/en-US/c3d88348-f4e6-456f-b319-e60a38febdcb/possible-to-reissue-rootca-certificate-to-change-a-few-settings-in-capolicyinf?forum=winserversecurity#858918e4-f8ac-42b8-9e30-0c01d6fabbc8

Needless to say, I'm not a PKI expert and there was a concern with our two two-tier hierarchy PKI servers having shortnames in the certificates instead of FQDNs. Granted, the root CA is NOT domain-joined and wouldn't have had a FQDN to begin with because it's not part of Active Directory, but I ended up creating a new pair of servers for a new two-tier hierarchy anyways.

So now, I have two offline root CAs in a workgroup and two domain-joined issuing CAs. I have already added the additional new root CA's certificate to AD and a quick glance at "PKIVIEW.MSC" shows an "OK" status - no errors. I logged on to one of our domain controllers, opened the Local Computer CERTIFICATE store and saw under PERSONAL that there are 4 certs with the DC's name, all issued by the first issuing CA.

How do I make the new issuing CA the preferred issuing CA? The plan is to decommission the current (first) issuing CA and delete the current (first) root CA since I created a whole new pair.


